Idiomdrottning’s homepage

A proposed package alert system

Maybe package managers (I’m thinking of something like go get here) could work like this:

  1. Writing a package would be easy: you could just publish a random repo anywhere.
  2. End users and admins could pull packages from any of those rando strangers’ repos, but updates wouldn’t be pushed out.
  3. Package writers could alert the package manager app team for serious security updates.
  4. The manager team would vet the fixed version. If it was a false alarm, they would send out a message “don’t trust this package, they misuse the security update system”; if it was a real fix, they’d send out a message telling you to update and giving you a way to optionally press “yes” right there and get their vetted version. (Or, if it seems like an honest false alarm as opposed to a malicious one, just do nothing.)

In other words, when it’s business as normal, your everyday feature creep and bug fixes, it’s not centralized and there are zero hoops to publish a package and install a package straight from the repo. When there’s danger, it is centralized: the package manager team itself takes over and decides whether or not to alert.
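One way the alert channel in steps 3 and 4 could be modelled, as an added example in Go that is not code from this post or from any real package manager: the vetting team signs each verdict with an ed25519 key, and the client drops anything not carrying that signature, ignores alerts for packages it doesn’t have installed, and otherwise surfaces the “update” or “distrust” decision. The package names, versions and the team key are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verdict is the package-manager team's decision on an author-submitted security alert.
type Verdict string
const (
	VerdictUpdate   Verdict = "update"   // real fix: tell users to move to FixedVersion
	VerdictDistrust Verdict = "distrust" // malicious false alarm: warn users off the package
)
// Alert is the one centralised message in the scheme; everything else stays decentralised.
type Alert struct {
	Package, FixedVersion string
	Verdict               Verdict
	Sig                   []byte // ed25519 signature by the team's key over payload()
}
func (a Alert) payload() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s", a.Package, a.FixedVersion, a.Verdict))
}
// Vet signs an alert with the team's key once a human review has settled the verdict.
func Vet(teamKey ed25519.PrivateKey, pkg, fixed string, v Verdict) Alert {
	a := Alert{Package: pkg, FixedVersion: fixed, Verdict: v}
	a.Sig = ed25519.Sign(teamKey, a.payload())
	return a
}
// Handle is the client side: drop anything not signed by the team, ignore alerts for
// packages not installed here, otherwise return the action ("update" or "distrust").
func Handle(teamPub ed25519.PublicKey, installed map[string]string, a Alert) (string, error) {
	if !ed25519.Verify(teamPub, a.payload(), a.Sig) {
		return "", errors.New("alert not signed by the package-manager team")
	}
	cur, ok := installed[a.Package]
	switch {
	case !ok, a.Verdict == VerdictUpdate && cur == a.FixedVersion:
		return "", nil // not installed, or already on the vetted fix
	case a.Verdict == VerdictUpdate, a.Verdict == VerdictDistrust:
		return string(a.Verdict), nil
	}
	return "", fmt.Errorf("unknown verdict %q", a.Verdict)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed team key for the demo
	installed := map[string]string{"example.invalid/widget": "1.2.0"} // constructed sample
	fmt.Println(Handle(pub, installed, Vet(priv, "example.invalid/widget", "1.2.1", VerdictUpdate)))
}
```

A client that only ever acts on team-signed alerts keeps the decentralised install path untouched: a package author cannot push anything by themselves, and a forged or tampered alert is discarded before it reaches the user.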